March 17, 2013    /    by

New NIST Cybersecurity Framework: Your Input Needed

The National Institute of Standards and Technology (NIST) issued a press release recently announcing the development of a new framework to reduce cyber risk. What do they need right now? Your input.

The day after President Obama released the “Improving Critical Infrastructure Cybersecurity Executive Order,” the National Institute of Standards and Technology (NIST) issued this press release announcing the development of a new framework to reduce cyber risk.

What do they need right now? Your input by April 8.

Here’s an excerpt from the February 13, 2013, press release:

The National Institute of Standards and Technology (NIST) today announced the first step in the development of a Cybersecurity Framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security and daily life.

… In accordance with the Executive Order, the Secretary of Commerce has directed the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure, such as power plants and financial, transportation and communications systems. NIST will issue a Request for Information from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders….

Stakeholder meetings are also a part of the framework process. The first meeting will be held April 3 at NIST headquarters in Gaithersburg, Md. For more information on this workshop or to register, go to this NIST website.

Many public and private sector organizations are talking about this new framework and the corresponding development process now, as demonstrated by this blog by Rodney Petersen from EDUCAUSE. Rodney points out that: “EDUCAUSE and Internet2 are working with the Higher Education Information Security Council to review the Questions in the RFI to develop a higher education response.”

In addition, I am aware of efforts by the National Association of Chief Information Officers (NASCIO) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) to gather input to this request by NIST. Whether these organizations compile a combined RFI response from states or just encourage state and local governments to respond individually is not clear at this time.

The Request for Information (RFI) can be seen here, and related comments should be e-mailed to cyberframework@nist.gov by April 8, 2013 with the subject line: "Developing a Framework to Improve Critical Infrastructure Cybersecurity."

I urge you and your organization or government to engage in this overall process. It is far too easy to complain about what is or what is not happening in Washington D.C. regarding cybersecurity. It is another matter entirely to be a part of the solution. This framework will provide an important piece to our roadmap over the next four-plus years, and we all need to get involved.

Related Congressional Developments on Cybersecurity

In a related development, DHS Secretary Janet Napolitano recently testified on the cybersecurity executive order. Here’s an excerpt from the Homeland Security Newswire article:

 “Cybersecurity has become a hot topic recently, as information emerged about a series of cyber attacks by on U.S. Banks, Microsoft, the New York Times, the Wall Street Journal, Bloomberg, and many other companies. A detailed expert report confirmed that these attacks, and others, were the work of operatives working for china’s military intelligence services (see “Chinese government orchestrates cyberattacks on U.S.: experts,” HSNW, 19 February 2013).

The Hill reports that these attacks now have lawmakers concerned about a more destructive attacks on water systems, financial institutions, transportation, utilities, and other critical infrastructure….

Senate Commerce Committee chairman Jay Rockefeller (D-West Virginia) said in a statement that the threat of a cyber attack is higher than ever, especially since the Congress failed to pass any cybersecurity legislation last year. “We simply cannot afford to wait any longer to adequately protect ourselves.” Rockefeller said in his statement….”

Just yesterday, the news came out that the McCaul-Lipinski Cybersecurity Enhancement Act advances to House floor. This legislation passed the House in 2012 and 2010 with overwhelming bipartisan support. The bill:

• Improves coordination in government, providing for a strategic plan to assess the cybersecurity risk and guide the overall direction of federal cyber research and development.

• Updates the National Institutes of Standards and Technology (NIST) responsibilities to develop security standards to harden our federal networks and processes for agencies to follow.

• Establishes a federal-university-private-sector task force to coordinate research and development, improve training of cyber professionals.

• Continues much-needed cybersecurity research and development programs at the National Science Foundation and NIST.

Presidential Actions On Cyber This Week

Meanwhile, President Obama hosted an unprecedented meeting with CEOs this past week on cybersecurity threats facing our nation. The New York Times reported on the meeting that, “Mr. Obama wanted to hear directly from industry leaders about how vulnerable their companies were to computer attacks. The president also wanted to discuss efforts the government was taking to address threats.”

In an interview with ABC News, the President also answered questions on cyber threats. Here’s that exchange:

PRESIDENT BARACK OBAMA:
Well, I think– you al– always have to be careful war analogies. Because, you know, there’s a big difference between– them engaging in cyber espionage or cyber attacks and– obviously– a hot war. What– is absolutely true– is that we have seen– a steady ramping up of cyber security threats. Some are state sponsored. Some are just sponsored by criminals. The–

GEORGE STEPHANOPOULOS:
But some are state sponsored?

PRESIDENT BARACK OBAMA:
Absolutely. And– and billions of dollars are lost to the consequences. You know, industrial secrets are stolen. Our companies are put into competitive disadvantage. You know, there are disruptions to our systems– that, you know, involve everything from our financial systems to some of our infrastructure.

And this is why I’ve taken some very aggressive executive actions. But we need Congress to act. We’ve put before Congress what exactly we need that will protect people’s privacy and civil liberties, but will also make sure that our overall system, both public and private, are protected from these kinds of attacks.

In conclusion, there is definitely a new sense of urgency to these cybersecurity matters. The topic of cyberdefense has now been elevated to the highest executive levels in the public and private sectors, even entering the conversation alongside such topics as the national debt, the economy and North Korean concerns.

State and local governments need to have this same sense of urgency on policies related to cyber. Get involved.

What are your thoughts on recent developments?